Auth bypass in Calero Verasmart

CVE-2026-26333

Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOA…

Vulnerability class: Broken Authentication

EPSS: 0.009 (56.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Weakness classification (CWE)

References

Frequently asked questions

What is CVE-2026-26333?
CVE-2026-26333 is a critical-severity vulnerability in Calero Verasmart, classified under Missing Authentication for Critical Function. CVSS score: 9.8/10. Published 2026-02-13.
How severe is CVE-2026-26333?
Critical severity. CVSS v3 base score is 9.8 out of 10.